Cyber security and the energy Trilemma – Part 3

By Martyn Ruks, 21 May 2015

What steps can be taken to overcome the 'trilemma'?

As we have seen, the challenges surrounding cyber security in the Energy sector link directly back to the trilemma we are facing. So where should organisations be focusing their efforts when it comes to getting cyber security right? It's also worth remembering that if we can solve these problems to protect against the most skilled attackers out there, everyone else should be straightforward to handle. At MWR we have identified four key areas that are the foundations to getting our approach right:

1. Governance: The organisation will only follow if the leaders set the standard. Therefore, it's critical that cyber security is sponsored right from the top of the business and is managed effectively right down to the shop floor. Governance models such as ISO 27001 can be used to support this, but be warned that they will only be effective if they accurately map to the systems and technologies that you are using.

2. Vendors: Cyber Security is ultimately a technical problem, as without technology we would not be facing the challenges we are. Therefore, the problem does map back to the people who design, manufacture, install and run the technology we use. Within the energy sector there is one key group on whom everyone else relies: the technology vendors themselves. It is important that our vendors understand how to get cyber security right and build the right controls into our systems, with the level of security quality that's needed to protect us against attack.

3. Design and Architecture: The security of the technologies within the complex systems we find across the sector, such as the Smart Grid, can be significantly enhanced by the design and architecture of the system or environment they sit within. Using effective architectural patterns and the right combination of security controls that are closely aligned to the threats that we are facing, we can provide a solid foundation on which to build.

4. Education and Awareness: Executing all of this well needs an entire industry to understand both the challenges and what the right solutions are. That needs us to educate everyone so that they understand what their part is in this space and where they can get help when they need it.

One thing that is clear from these solutions is that no one organisation or company can or should be solving them all, or in one go. It is therefore important that the industry as a whole comes together to address the issues. All parts of the industry are acutely aware of the trilemma, so helping the industry to understand the challenges and opportunities in cyber security is achievable. By building our knowledge of best practice and cross-industry solutions we can make progress, and at MWR we will be working to support those efforts.

Conclusions

It may not seem like it to the many people in the Energy sector having to deal with the trilemma, but Cyber Security needs to be included in the approach that we are using to face it. Otherwise our adversaries, who have increasing capability to impact the sector, will use the political benefits of governmental failings in the Energy sector to cause their damage. Not only does this have ramifications for Governments around the world, but such attacks will also have a ripple effect on everyone within the sector and its supply chain, as we have discussed.

This is without factoring in all the other attackers who might seek to gain from security weaknesses in the sector. It is therefore important that there is a collective effort to address some of the issues that will arise if the right path is not taken towards our Smart Energy future.

MWR InfoSecurity provide specialist advice and solutions in all areas of cyber security, from professional and managed services, through to developing commercial and open source security tools.